
Security & GRC Decoded


Author(s): Raj Krishnamurthy

About this audio

How today’s top organizations navigate the complex world of governance, risk, and compliance (GRC). Security & GRC Decoded brings you actionable strategies, expert insights, and real-world stories that help professionals elevate their security and compliance programs. Hosted by Raj Krishnamurthy.

It’s for security professionals, compliance teams, and business leaders responsible for security GRC and for ensuring their organizations are safe, secure, and adhere to regulatory mandates.

Security & GRC Decoded brings you:

+ Actionable strategies.
+ Expert insights.
+ Real-world stories to elevate your Security GRC programs.

Each episode explores frameworks, risk management strategies, and innovations shaping the future of GRC – from practitioners in the trenches. Subscribe now to unlock the tools and knowledge you need to succeed.

© 2025 Security & GRC Decoded
Economics
Episodes
  • Preetam Joshi Breaks Down ML, LLMs, AI Agents, and Governance Challenges
    Jul 10 2025

    How do you make sense of security, governance, and risk in an age of black-box AI? This week, Raj is joined by Preetam Joshi, founder of Aimon Labs and machine learning veteran with experience at DRDO, Yahoo, Netflix, and Thumbtack. Together, they break down the technical evolution behind large language models (LLMs), explore the real challenges of explainability, and discuss why GRC teams must rethink risk in the age of autonomous reasoning systems.

    Preetam brings a rare mix of hands-on ML expertise and practical experience deploying LLMs in enterprise environments. If you’ve been wondering how transformers work, what explainability really means, or why AI governance is still a mess — this episode is for you.

    5 Key Takeaways:

    - From DRDO to Netflix to Aimon Labs — Preetam’s career journey shows the intersection of machine learning, security, and entrepreneurship.
    - How Transformers Work — A simple breakdown of encoder/decoder architecture, embeddings, and attention mechanisms.
    - Explainability in AI — What it meant in traditional ML... and why it’s nearly impossible with today’s LLMs.
    - Rule-Based Logic Isn’t Dead — In high-stakes environments, deterministic systems still matter.
    - Bridging AI & GRC — Practical steps for model security, auditing, and compliance in non-deterministic systems.

    📌 Take Action

    • Visit ComplianceCow.com/podcast to catch all episodes

    • Connect with Preetam on LinkedIn

    • Follow the show on Spotify and Apple Podcasts

    Security & GRC Decoded is brought to you by ComplianceCow — the platform for proactive, automated compliance.

    🎧 Subscribe, rate, and share if this episode sparked a thought.

    ⏱ Timestamps (approx.)

    00:00 – Intro
    01:11 – Welcome Preetam to the show
    03:20 – What has been your favorite experience working in AI so far?
    07:08 – What is transformer architecture and how does it work?
    10:23 – How do LLMs solve problems like math or reasoning?
    12:38 – Where do agents fit in the LLM ecosystem?
    16:07 – How does reinforcement learning apply to AI models?
    21:33 – What does explainability mean in ML?
    24:55 – Can you explain the limitations of SHAP and parameter-level reasoning?
    27:33 – What does GRC look like in the LLM age?
    30:58 – What does AIMon Labs actually do?
    35:00 – Why is reliability a challenge with LLMs?
    39:15 – Where does GRC intersect with AI deployment and compliance?
    41:30 – What is fine-tuning and when is it useful?
    44:43 – Is Retrieval Augmented Generation (RAG) still relevant with longer context windows?
    47:29 – How do we guard against LLM misuse and toxic output?
    49:43 – How can LLMs overexpose sensitive company data?
    53:28 – Advice for those starting a career in AI or ML
    55:34 – What are your favorite models right now?

    59 min
  • RGC, Not GRC: Why Risk Comes First ft Ricky Waldron
    Jun 26 2025

    What if compliance wasn't just about passing audits—but about building trust from the ground up?

    In this powerful episode of Security & GRC Decoded, Raj sits down with Ricky Waldron, Director of Security Audit & GRC at Navan, whose GRC experience spans tech giants like Microsoft, Disney, Oracle, and Smartsheet. Ricky shares how GRC is evolving into a strategic business partner, why automation and technical fluency are no longer optional, and what it takes to make compliance an engine of trust, not a blocker.

    From FedRAMP horror stories to generative AI workflows, this conversation dives deep into the future of governance, risk, and compliance—and why it's time for GRC teams to start thinking like engineers.

    🔑 5 Key Takeaways

    • 💥 Compliance = Security (If Done Right): Internal compliance based on risk and business needs often leads to stronger security outcomes than external certifications alone.
    • 🤝 Stop Policing, Start Partnering: GRC shouldn’t just point out problems—it should offer solutions and collaborate with teams to reduce risk.
    • 📊 Quantify Risk to Speak Leadership’s Language: Turn technical risk into business impact using frameworks like FAIR to get buy-in and budget.
    • ⚙️ Automation Is GRC’s Future: From policy drafting with AI to continuous control monitoring, GRC teams must become technical and leverage automation.
    • 🧩 GRC as a Sales Enabler: GRC isn't just an internal function—it builds trust with customers, shortens sales cycles, and helps close deals.

    ✅ Take Action

    • Explore risk-first approaches: Lead with R in GRC to align controls with actual business risks.
    • Invest in automation: Save engineering hours and scale audits with continuous evidence collection.
    • Use GenAI wisely: Leverage it for speed, but ensure strong human review before anything goes to auditors.

    🔗 Powered by ComplianceCow.com – automate audits, collect evidence continuously, and shift GRC left.
    🎧 Subscribe to Security & GRC Decoded for weekly insights from today’s top compliance leaders.
    💼 Connect with Ricky Waldron on LinkedIn.

    ⏱ Timestamps (approx.)

    00:00 – Intro
    01:35 – Hot take on GRC
    04:31 – Why GRC & Security clash
    08:44 – GRC is storytelling
    12:57 – Risk comes before compliance
    16:08 – How to talk risk with execs
    20:41 – Trust as a compliance goal
    24:50 – Keeping your promises
    27:54 – Why GRC struggles with automation
    33:15 – Speaking engineers’ language
    38:50 – GRC as the customer conduit
    45:00 – GRC as sales enablement
    47:15 – How Ricky learned FedRAMP
    50:20 – What is FedRAMP 20X?
    52:27 – Why OSCAL hasn’t taken off
    56:15 – Would you use OSCAL commercially?
    58:36 – GenAI in GRC workflows
    1:02:31 – Using AI with auditors
    1:06:45 – State of GRC tooling
    1:12:30 – Getting budget for automation

    1 h 19 min
  • What Does ‘Technical’ Even Mean in GRC? ft Alan Luk @ Grammarly
    Jun 12 2025

    Is it time to stop pretending GRC is technical? Alan Luk makes the case for a new kind of compliance leader—and it might surprise you.

    In this sharp and unfiltered episode of Security & GRC Decoded, Alan Luk, Director of GRC at Grammarly (and former Microsoft and PwC leader), joins Raj to dismantle common myths about GRC—and why even your engineers might be thinking about it all wrong.

    Drawing from over 20 years of experience, Alan makes the case for why GRC should be seen as a program management function, not a technical one—and how that shift unlocks better controls, less friction with engineering, and less painful audits. From audit war stories to his vision for continuous assurance, Alan brings blunt honesty, practical insight, and some well-earned hot takes to the mic.

    🔑 Key Takeaways:

    ✅ Why most companies—and even GRC pros—misunderstand what GRC is actually for
    ✅ How PM skills (not coding) unlock stronger GRC outcomes and happier engineers
    ✅ What good compliance teams do before audit season to avoid chaos
    ✅ Why control owners—not GRC—should own the metrics (and what to do if they don’t)
    ✅ A bold vision for the future: GRC as an observability layer, not an evidence factory

    🎯 Take Action:

    → Rethink what GRC really means inside your org: is it a service, a blocker, or a translator?
    → Audit your compliance program’s audit readiness—do you have metrics or just screenshots?
    → Share this episode with your PMs, engineers, or auditors who still think GRC is just check-the-box

    👉 Follow Security & GRC Decoded for fresh insights on how to make your GRC program faster, smarter, and more resilient.
    🎙️ Security & GRC Decoded is brought to you by ComplianceCow. Discover how ComplianceCow helps teams move from reactive compliance to proactive control automation.
    🚀 Liking the show? Leave a rating and review to help us grow and keep bringing you bold GRC conversations.

    💬 Connect with Alan Luk:
    💼 LinkedIn: https://www.linkedin.com/in/alan-luk-4027b29/
    🌐 Company: https://www.grammarly.com

    1 h 10 min
